1
0
Fork 0
mirror of https://github.com/imjasonh/snoop synced 2026-07-14 19:35:42 +00:00
Commit graph

13 commits

Author SHA1 Message Date
Jason Hall
0f7645fabe Fix config tests to use slog.Level constants instead of strings 2026-01-14 13:42:12 -05:00
Jason Hall
d3ea4f2f59 Add KinD integration tests to CI
- Create GitHub Actions workflow for KinD integration tests
- Fix path normalization for relative paths with .. components
- Fix cgroup selection to skip snoop container itself
- Add unique namespaces per test with async cleanup
- Allow IMAGE_TAG environment variable override in test script

Both alpine-basic and busybox-controlled tests now pass with proper
file capture and path normalization.

Signed-off-by: Jason Hall <jason@chainguard.dev>
2026-01-14 13:32:44 -05:00
Jason Hall
9e5dad7dd2 Document resource limits and complete Milestone 3
- Create comprehensive RESOURCE_LIMITS.md with memory, CPU, and disk guidance
- Provide three configuration profiles (conservative, moderate, unbounded)
- Include complete Kubernetes deployment examples with resource limits
- Add Prometheus monitoring queries and recommended alerts
- Document tuning guidelines and troubleshooting procedures
- Update README.md to reference new documentation
- Mark Milestone 3 as complete in plan.md

Milestone 3 (Production Hardening) is now complete. Next: Milestone 4 (Kubernetes Integration)

Signed-off-by: Jason Hall <jason@chainguard.dev>
2026-01-14 10:56:38 -05:00
Jason Hall
544ed0dbe0 Add health check endpoint for production readiness
Implements /healthz endpoint on port 9090 alongside /metrics.

The health checker monitors:
- eBPF program load status
- Event reception (with 5min grace period)
- Report writes (with 2min grace period)

Returns 200 OK when healthy, 503 when unhealthy, with JSON
response containing detailed status including uptime, timestamps,
and diagnostic messages.

Part of Milestone 3: Production Hardening.

Signed-off-by: Jason Hall <jason@chainguard.dev>
2026-01-14 10:46:29 -05:00
Jason Hall
b3f7c96343 Add memory-bounded deduplication with LRU cache
Implements configurable memory limits for the file deduplication cache
to prevent unbounded memory growth in long-running production deployments.

- Add LRU cache implementation with configurable max size
- Add -max-unique-files flag (default: 0 = unbounded)
- Add snoop_events_evicted_total metric for monitoring
- Track and log cache evictions with delta warnings
- Add comprehensive tests for bounded and unbounded behavior

When max-unique-files is set, the cache evicts least-recently-used
entries to stay within the limit. Evicted files may be re-recorded
if accessed again, making this suitable for workloads with temporal
locality in file access patterns.

Closes milestone 3 task: Memory-bounded deduplication

Signed-off-by: Jason Hall <jason@chainguard.dev>
2026-01-14 10:44:04 -05:00
Jason Hall
87dab9839a Add ring buffer overflow detection and metrics
Implement comprehensive ring buffer overflow handling:

- Add dropped_events BPF map to track overflow in kernel space
- Create submit_event() helper that checks bpf_ringbuf_output() return
  value and atomically increments drop counter on failure
- Add Drops() method to read drop counter from eBPF map
- Add snoop_events_dropped_total Prometheus metric
- Track drop deltas and log warnings when overflow occurs
- Include drop count in JSON reports

Ring buffer overflows can occur under high load when events are
generated faster than userspace can consume them. This implementation
provides full observability into overflow events without data loss
of the drop count itself.

Signed-off-by: Jason Hall <jason@chainguard.dev>
2026-01-14 10:33:55 -05:00
Jason Hall
2dd10e3e1e Add structured logging with clog
Implement context-aware structured logging throughout the codebase using
chainguard-dev/clog. This provides better observability with configurable
log levels and structured output.

- Add -log-level flag to control verbosity (debug, info, warn, error)
- Replace all log.Println/Printf calls with structured clog logging
- Thread context through NewProbe, NewProcessor, and NewFileReporter
- Add detailed debug logging for eBPF tracepoint attachment
- Add debug logging for file operations in reporter
- Change "new file" messages to debug level to reduce noise
- Update all tests to pass context.Background()

Default log level is "info" which provides operational visibility without
excessive verbosity. Debug level shows detailed event processing.

Signed-off-by: Jason Hall <jason@chainguard.dev>
2026-01-14 10:27:27 -05:00
Jason Hall
5fc1a6dea1 Add Prometheus metrics endpoint for production observability
- Add pkg/metrics package with snoop-specific metrics:
  - Event counters (received, processed, excluded, duplicate)
  - Unique files gauge
  - Report write counters
- Expose /metrics endpoint on port 9090 (configurable via -metrics-addr flag)
- Include process and Go runtime metrics via default collectors
- Add unit tests for metrics package

Signed-off-by: Jason Hall <jason@chainguard.dev>
2026-01-14 10:21:17 -05:00
Jason Hall
7cc941aa25 Add linux build tags to ebpf/main packages, update CLAUDE.md
Signed-off-by: Jason Hall <jason@chainguard.dev>
2026-01-14 10:16:33 -05:00
Jason Hall
23303722a5 Add reporter package and wire up main.go with processor
Complete Milestone 2:
- Add pkg/reporter with atomic JSON file writes
- Update main.go to use processor for deduplication/normalization
- Add periodic report writing and graceful shutdown on SIGTERM
- Add CLI flags for report path, interval, exclusions, metadata
2026-01-14 10:09:35 -05:00
Jason Hall
d8c904c3da Add processor package with path normalization and deduplication 2026-01-14 10:05:45 -05:00
Jason Hall
23d94e3049 Add remaining syscall tracepoints for file access tracking
Trace statx, newfstatat, faccessat, faccessat2, readlinkat, openat2, and execveat.

Signed-off-by: Jason Hall <jason@chainguard.dev>
2026-01-14 10:00:10 -05:00
Jason Hall
f793a98161 initial commit
Signed-off-by: Jason Hall <jason@chainguard.dev>
2026-01-14 09:55:28 -05:00